6 Replies Latest reply on May 21, 2012 3:12 AM by ascoyne

    Enabling FIPS on ePO

    ascoyne

      We are running ePO 4.6.1.1192 and have recently procured TPD with EEPC.  We are in the testing phase of deploying and have configured EEPC 6.1.3 with 7409862, and all is going well; however, we have realised that our ePO server is not running in FIPS mode and therefore the client will not run in FIPS.

      We have found the following entry https://community.mcafee.com/message/223623#223623 which states that to enable FIPS we need to use "setup.exe ENABLEFIPSMODE=1", but it needs to be a clean install of ePO; surely this can't be right?!  Surely we can just apply the latest ePO server update (4.6.2.234) with the ENABLEFIPSMODE switch and FIPS will be on.

      Please can someone advise.

        • 1. Re: Enabling FIPS on ePO
          ascoyne

          Surely this type of question must have been asked before.  Someone from McAfee must know this.

          Message was edited by: ascoyne on 01/05/12 05:02:25 CDT
          • 2. Re: Enabling FIPS on ePO
            JoeBidgood

            FIPS configuration is done as part of the initial install and can't be changed after the fact. If you try to do so, the installer won't allow you to and will exit with a "this server cannot be converted to FIPS mode" message.

            However, I've spoken to my EEPC colleagues, and according to them it is possible to have the clients in FIPS mode without necessarily having the ePO server in FIPS mode as well. I'm trying to find out more information surrounding this.

            However, if you require a fully compliant FIPS environment, both the clients and the ePO installation will need to be in FIPS mode.

            HTH -

            Joe

            • 3. Re: Enabling FIPS on ePO
              ascoyne

              Thanks Joe.

              I have read that to be fully FIPS compliant both client and server have to be FIPS enabled.  It is really disappointing that ePO cannot be upgraded to FIPS.

              When we first installed ePO, about 3 years ago, we had no idea that in the future we would need to be FIPS enabled - our crystal ball mustn't have been working that day.

              Due to this oversight by McAfee we will now have to build a new server and install ePO from scratch, import the software, clients, policies etc.  This is very poor form by McAfee, causing this excessive work.

              Thanks again Joe.

              • 4. Re: Enabling FIPS on ePO
                JoeBidgood

                It's a little unfair to call it an "oversight" - my understanding is that it's more to do with the very strict rules surrounding FIPS compliance and validation. It's not possible to upgrade some of the core components that support legacy environments without breaking things, but it's also not possible to achieve FIPS compliance without upgrading those components - hence the installer doesn't allow this.

                Whether or not this can be changed in future versions, I don't know. Presumably, once things have evolved to a point where the weakest point in an ePO environment still meets FIPS specifications, it will be possible to change FIPS modes without risk, but that's just speculation on my part.

                Regards -

                Joe

                • 5. Re: Enabling FIPS on ePO
                  ascoyne

                  Hi Joe,

                  Perhaps "oversight" is the wrong word, my apologies.  My point is that McAfee have taken the effort to obtain FIPS certification, for which I am grateful, but have not provided a mechanism to easily enable it.

                  I wholly understand that the reason for the apparent inability to perform an in-place upgrade is due to the rules regarding FIPS compliance and this has nothing to do with McAfee.  However, before McAfee went for accreditation, perhaps they should have envisaged that some of their current ePO customers would be taking advantage of the feature and created a specific guide on how to migrate from non-FIPS to FIPS.

                  Up until now I have found that McAfee always provides excellent documentation, and I am very surprised that there seems to be very little information on the McAfee Kbase regarding FIPS in general, let alone migrating from one environment to another, hence my reason for resorting to the community.

                  Thanks again for the feedback.

                  Regards,

                  Adrian

                  • 6. Re: Enabling FIPS on ePO
                    ascoyne

                    Just to close this thread.

                    McAfee have officially stated that for full FIPS compliance the ePO server and EEPC client must be installed with FIPS mode enabled.  Therefore, if the ePO server was not originally installed with FIPS enabled, a new ePO server must be built using the setup.exe ENABLEFIPSMODE=1 command.